[LON-CAPA-cvs] cvs: loncom /cgi lonauthcgi.pm ping.pl /lonnet/perl lonnet.pm

raeburn raeburn at source.lon-capa.org
Mon Oct 17 13:23:29 EDT 2011


raeburn		Mon Oct 17 17:23:29 2011 EDT

  Modified files:              
    /loncom/cgi	lonauthcgi.pm ping.pl 
    /loncom/lonnet/perl	lonnet.pm 
  Log:
  - Rights to run /cgi-bin/ping.pl on any server in the cluster, from any other host 
    in the cluster. 
  - For scripts using lonauthcgi::check_ipbased_access(), access permitted for both 127.0.0.1
    and also if remote IP is same as IP of host server.
  - check_domain_ip() - new routine: allows access to scripts from any server which belongs
    to the same domain as the host server.
  - update POD for check_ipbased_access().
  - Add new global hash: Apache::lonnet::managerstab to store contents of: 
    /home/httpd/lonTabs/managers.tab, loaded within BEGIN {} block.
  - No automatic access to toggledebug and takeoffline items from a server listed in 
    managers.tab (unlike other keys in %serverstatus_titles).
  
  
Index: loncom/cgi/lonauthcgi.pm
diff -u loncom/cgi/lonauthcgi.pm:1.7 loncom/cgi/lonauthcgi.pm:1.8
--- loncom/cgi/lonauthcgi.pm:1.7	Fri Oct 14 20:50:54 2011
+++ loncom/cgi/lonauthcgi.pm	Mon Oct 17 17:23:25 2011
@@ -1,7 +1,7 @@
 #
 # LON-CAPA authorization for cgi-bin scripts
 #
-# $Id: lonauthcgi.pm,v 1.7 2011/10/14 20:50:54 raeburn Exp $
+# $Id: lonauthcgi.pm,v 1.8 2011/10/17 17:23:25 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -32,7 +32,7 @@
 
 =head1 NAME
 
-loncgi
+lonauthcgi
 
 =head1 SYNOPSIS
 
@@ -59,7 +59,6 @@
 use Apache::lonnet;
 use Apache::lonlocal;
 use LONCAPA;
-use LONCAPA::Configuration();
 
 #############################################
 #############################################
@@ -74,11 +73,16 @@
         $ip, the IP address of the client requesting the page.
 
 Returns: 1 if access is permitted for the requestor's IP.
-         Access is allowed if on of the following is true:
-         (a) the requestor IP is the loopback address
-         (b) Domain configurations for domains hosted on this server include
+         Access is allowed if one of the following is true:
+         (a) the requestor IP is the loopback address.
+         (b) the requestor IP is the IP of the current server.
+         (c) the requestor IP is the IP of a manager,
+             if the page to view is not "takeoffline" or "toggledebug" 
+         (d) the requestor IP is the IP of a server belonging 
+             to a domain included in domains hosted on this server.
+         (e) Domain configurations for domains hosted on this server include
              the requestor's IP as one of the specified IPs with access
-             to this page. (does not apply to 'ping' page type)
+             to this page. (not applicable to 'ping' page).
 
 =cut
 
@@ -90,13 +94,24 @@
     if (!defined($ip)) {
         $ip = $ENV{'REMOTE_ADDR'};
     }
-    if (($page ne 'lonstatus') && ($page ne 'serverstatus')) {
-        if ($ip eq '127.0.0.1') {
+    if ($ip eq '127.0.0.1') {
+        $allowed = 1;
+        return $allowed;
+    } else {
+        my $lonhost = $Apache::lonnet::perlvar{'lonHostID'};
+        my $host_ip = &Apache::lonnet::get_host_ip($lonhost);
+        if (($host_ip ne '') && ($host_ip eq $ip)) {
             $allowed = 1;
             return $allowed;
         }
     }
     if (&is_manager_ip($ip)) {
+        unless (($page eq 'toggledebug') || ($page eq 'takeoffline')) {
+            $allowed = 1;
+            return $allowed;
+        }
+    }
+    if (&check_domain_ip($ip)) {
         $allowed = 1;
         return $allowed;
     }
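Review bot: Dropping the `($page ne 'lonstatus') && ($page ne 'serverstatus')` guard means the loopback and own-IP short-circuit at the top of this hunk now grants every page type, including 'toggledebug' and 'takeoffline', which the manager branch a few lines below deliberately withholds; if that asymmetry is intended it deserves a comment, e.g. `# Requests originating from this machine (loopback or its own IP) are trusted for every page, including toggledebug/takeoffline.` The `else` around the host-IP lookup is dead structure, since the `if` branch returns; the lookup can sit at the same level. `$ip` is undef when neither the argument nor REMOTE_ADDR is set, so the `eq` comparisons warn; `$ip = '' if (!defined($ip));` after the REMOTE_ADDR fallback keeps the rest of the routine quiet. check_ipbased_access's signature and its later domain-configuration checks lie outside this hunk.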
@@ -123,40 +138,82 @@
 #############################################
 #############################################
 
+=pod
+
+=item is_manager_ip()
+
+Inputs: $remote_ip, the IP address of the client requesting the page.
+
+Returns: 1 if the client IP address corresponds to that of a 
+         machine listed in /home/httpd/lonTabs/managers.tab
+
+=cut
+
+#############################################
+#############################################
 sub is_manager_ip {
     my ($remote_ip) = @_;
     return if ($remote_ip eq '');
     my ($directory,$is_manager);
-    my $config=LONCAPA::Configuration::read_conf();
-    if (ref($config) eq 'HASH') {
-        $directory = $config->{'lonTabDir'};
+    foreach my $key (keys(%Apache::lonnet::managerstab)) {
+        my $manager_ip;
+        if ($key =~ /:/) {
+            my ($cluname,$dnsname) = split(/:/,$key);
+            my $ip = gethostbyname($dnsname);
+            if (defined($ip)) {
+                $manager_ip = inet_ntoa($ip);
+            }
+        } else {
+            $manager_ip = &Apache::lonnet::get_host_ip($key);
+        }
+        if (defined($manager_ip)) {
+            if ($remote_ip eq $manager_ip) {
+                $is_manager = 1;
+                last;
+            }
+        }
     }
-    if (defined($directory)) {
-        if (open(MANAGERS, "$directory/managers.tab")) {
-            while(my $host = <MANAGERS>) {
-                chomp($host);
-                next if ($host =~ /^\#/);
-                my $ip = &Apache::lonnet::get_host_ip($host);
-                if (defined($ip)) {
-                    if ($remote_ip eq $ip) {
-                        $is_manager = 1;
-                        last;
-                    }
-                } else {
-                    my ($cluname,$dnsname) = split(/:/, $host);
-                    $ip = gethostbyname($dnsname);
-                    if (defined($ip)) {
-                        my $hostip = inet_ntoa($ip);
-                        if ($hostip = $remote_ip) {
-                            $is_manager = 1;
+    return $is_manager;
+}
+
+#############################################
+#############################################
+
+=pod
+
+=item check_domain_ip()
+
+Inputs: $remote_ip, the IP address of the client requesting the page.
+
+Returns: 1 if the client IP address is for a machine in the cluster
+         and domain in common for client machine and this machine.
+
+=cut
+
+#############################################
+#############################################
+sub check_domain_ip {
+    my ($remote_ip) = @_;
+    my %remote_doms;
+    my $allowed;
+    if ($remote_ip ne '') {
+        if (&Apache::lonnet::hostname($remote_ip) ne '') {
+            my @poss_domains = &Apache::lonnet::current_machine_domains();
+            if (@poss_domains > 0) {
+                my @remote_hosts = &Apache::lonnet::get_hosts_from_ip($remote_ip);
+                foreach my $hostid (@remote_hosts) {
+                    my $hostdom = &Apache::lonnet::host_domain($hostid);
+                    if ($hostdom ne '') {
+                        if (grep(/^\Q$hostdom\E$/, at poss_domains)) {
+                            $allowed = 1;
+                            last;
                         }
                     }
                 }
             }
-            close(MANAGERS);
         }
     }
-    return $is_manager;
+    return $allowed;
 }
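Review bot: In check_domain_ip the guard `&Apache::lonnet::hostname($remote_ip) ne ''` hands an IP address to hostname(), while ping.pl in this same commit calls `hostname($testhost)` with a host ID; if hostname() maps host IDs to hostnames, this guard can never pass for an IP and the whole domain comparison is unreachable — presumably the guard can simply go, since the `@remote_hosts` loop already yields nothing for an unknown IP. `%remote_doms` in check_domain_ip and `$directory` in is_manager_ip (the retained `my ($directory,$is_manager);` line) are no longer used and should be dropped. The `grep(/^\Q$hostdom\E$/, ...)` is an equality test written as a regex; `grep { $_ eq $hostdom } @poss_domains` states that directly (the `, at poss_domains` in this listing looks like list-archive mangling of `@poss_domains`). Both routines start and end inside this hunk.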
 
 #############################################
@@ -178,14 +235,12 @@
              the requestor as one of the named users (username:domain) with access
              to the page.
 
-         In the case of requests for the 'ping' page, access is also allowed if
-         at least one domain hosted on requestor's server is also hosted on this server.
-
          In the case of requests for the 'showenv' page (/adm/test), the domains tested
          are not the domains hosted on the server, but instead are a single domain - 
          the domain of the requestor.  In addition, if the requestor has an active 
          Domain Coordinator role for that domain, access is permitted, regardless of  
          the requestor's current role.
+
 =cut
 
 #############################################
@@ -195,16 +250,6 @@
     my $allowed;
     if ($Apache::lonnet::env{'request.role'} =~ m{^su\./}) {
         $allowed = 1;
-    } elsif ($page eq 'ping') {
-        my @poss_domains = &Apache::lonnet::current_machine_domains();
-        my @hostids= &Apache::lonnet::get_hosts_from_ip($ENV{'REMOTE_ADDR'});
-        foreach my $hostid (@hostids) {
-            my $hostdom = &Apache::lonnet::host_domain($hostid);
-            if (grep(/^\Q$hostdom\E$/, at poss_domains)) {
-                $allowed = 1;
-                last;
-            }
-        }
     } else {
         my @poss_domains;
         if ($page eq 'showenv') {
@@ -251,7 +296,7 @@
 
 =pod
 
-=unauthorized_msg()
+=item unauthorized_msg()
 
 Inputs: $page, the identifier of the page to be viewed,
         can be one of the keys in the hash from &serverstatus_titles()
@@ -321,6 +366,10 @@
     return \%titles;
 }
 
+=pod
 
-1;
+=back
 
+=cut
+
+1;
Index: loncom/cgi/ping.pl
diff -u loncom/cgi/ping.pl:1.8 loncom/cgi/ping.pl:1.9
--- loncom/cgi/ping.pl:1.8	Thu Dec 25 01:56:03 2008
+++ loncom/cgi/ping.pl	Mon Oct 17 17:23:25 2011
@@ -1,6 +1,6 @@
 #!/usr/bin/perl
 # ping cgi-script
-# $Id: ping.pl,v 1.8 2008/12/25 01:56:03 raeburn Exp $
+# $Id: ping.pl,v 1.9 2011/10/17 17:23:25 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -38,19 +38,28 @@
 &main();
 
 sub main {
-    if (!&LONCAPA::lonauthcgi::check_ipbased_access('ping')) {
-        if (!&LONCAPA::loncgi::check_cookie_and_load_env()) {
-            return;
+    my $remote_ip = $ENV{'REMOTE_ADDR'};
+    my $allowed;
+    my @hosts = &Apache::lonnet::get_hosts_from_ip($remote_ip);
+    if (@hosts > 0) {
+        $allowed = 1;
+    } elsif (&LONCAPA::lonauthcgi::check_ipbased_access('ping',$remote_ip)) {
+        $allowed = 1;
+    } elsif (&LONCAPA::loncgi::check_cookie_and_load_env()) {
+        if (&LONCAPA::lonauthcgi::can_view('ping')) {
+            $allowed = 1;
         }
-
-        if (!&LONCAPA::lonauthcgi::can_view('ping')) {
-            return;
+    }
+    if ($allowed) {
+        my $testhost=$ENV{'QUERY_STRING'};
+        $testhost=~s/\W//g;
+        if (&Apache::lonnet::hostname($testhost) ne '') {
+            print &Apache::lonnet::reply('ping',$testhost)."\n";
+        } else {
+            print 'unknown_host';
         }
+    } else {
+        print 'forbidden';
     }
-
-    my $testhost=$ENV{'QUERY_STRING'};
-    $testhost=~s/\W//g;
-
-    print &Apache::lonnet::reply('ping',$testhost)."\n";
     return;
 }
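Review bot: `$testhost=~s/\W//g;` strips hyphens, so a host ID containing '-' (the managers.tab parser added to lonnet.pm in this commit accepts `[\w\-]+` as an ID) is silently rewritten to a different string and answered with 'unknown_host'; if hyphens are legal in host IDs, `$testhost =~ s/[^\w\-]//g;` keeps them and the `hostname()` existence check remains the real validation. The two failure responses are printed without a trailing newline while the ping reply gets one, so a line-oriented client sees different framing on failure; `print "forbidden\n";` and `print "unknown_host\n";` would be consistent. Because any IP that maps to a cluster host is already accepted by the `@hosts > 0` branch, the check_domain_ip path that check_ipbased_access('ping', ...) adds can only be reached by IPs with no cluster hosts, where it cannot succeed — a comment noting that the second branch covers loopback, own IP and managers only would save the next reader the same puzzle.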
Index: loncom/lonnet/perl/lonnet.pm
diff -u loncom/lonnet/perl/lonnet.pm:1.1137 loncom/lonnet/perl/lonnet.pm:1.1138
--- loncom/lonnet/perl/lonnet.pm:1.1137	Mon Oct 17 15:35:07 2011
+++ loncom/lonnet/perl/lonnet.pm	Mon Oct 17 17:23:29 2011
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # TCP networking package
 #
-# $Id: lonnet.pm,v 1.1137 2011/10/17 15:35:07 raeburn Exp $
+# $Id: lonnet.pm,v 1.1138 2011/10/17 17:23:29 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -76,7 +76,8 @@
 use Image::Magick;
 
 use vars qw(%perlvar %spareid %pr %prp $memcache %packagetab $tmpdir
-            $_64bit %env %protocol %loncaparevs %serverhomeIDs %needsrelease);
+            $_64bit %env %protocol %loncaparevs %serverhomeIDs %needsrelease
+            %managerstab);
 
 my (%badServerCache, $memcache, %courselogs, %accesshash, %domainrolehash,
     %userrolehash, $processmarker, $dumpcount, %coursedombuf,
@@ -10984,6 +10985,22 @@
     }
 }
 
+# ---------------------------------------------------------- Read managers table
+{
+    if (-e "$perlvar{'lonTabDir'}/managers.tab") {
+        if (open(my $config,"<$perlvar{'lonTabDir'}/managers.tab")) {
+            while (my $configline=<$config>) {
+                chomp($configline);
+                next if ($configline =~ /^\#/);
+                if (($configline =~ /^[\w\-]+$/) || ($configline =~ /^[\w\-]+\:[\w\-]+$/)) {
+                    $managerstab{$configline} = 1;
+                }
+            }
+            close($config);
+        }
+    }
+}
+
 # ------------- set up temporary directory
 {
     $tmpdir = LONCAPA::tempdir();
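Review bot: The new managers.tab block uses the two-argument form `open(my $config,"<$perlvar{'lonTabDir'}/managers.tab")`; the path comes from local configuration rather than a request, so injection is not the concern, but two-arg open also trims whitespace and parses mode out of the string, and `open(my $config,'<',"$perlvar{'lonTabDir'}/managers.tab")` is the safe, conventional form. The preceding `-e` test is then redundant, since a failed open is already ignored silently. Unlike the per-request file read that is_manager_ip used to do, this table is filled once when the block runs (at module load, presumably), so an edit to managers.tab — in particular removing a manager — takes effect only after the server reloads lonnet; that deserves a comment on the block, e.g. `# Read once at load time; changes to managers.tab take effect only after a restart.`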

